In talking about the gas pipelines, Mark Weatherford, deputy under secretary for cyber security at the Department of Homeland Security National Protection and Programs Directorate, said they are working with affected private sector companies. “This is just the tip of the iceberg,” Weatherford said during his keynote address Wednesday at the ICSJWG 2012 Spring Conference in Savannah, GA.

Analysis of the malware and artifacts in these cyber attacks shows this is a single campaign with spear-phishing activity dating back to as early as December 2011. Analysis showed the spear-phishing attempts targeted a variety of personnel within these organizations; however, the set of persons targeted was tightly focused. In addition, the emails convincingly appear as though they came from a trusted member internal to the organization.

ICS-CERT issued an alert (and two updates) to the US-CERT Control Systems Center secure portal library and also sent them to sector organizations and agencies to ensure broad distribution to end users.

These alerts provide early warning indicators of threats and vulnerabilities for the community to act upon quickly.

ICS-CERT is working with multiple organizations to provide remote and onsite analytic assistance to confirm the compromise, determine the extent of infection, and assist in removing it from networks.

ICS-CERT does not recommend allowing the intrusion activity to persist within networks and has been working aggressively with affected organizations to prepare mitigation plans customized to their current network security configurations to remove the threat and harden networks against re-infection.

Combating sophisticated attacks is challenging for any company; therefore, ICS-CERT is working with partners to evaluate a more strategic and layered approach to detecting and mitigating these threats. ICS-CERT is also preparing additional mitigation information that it will release in an upcoming advisory.